Hello Mark,

I remotely remember such an issue from a couple of months ago.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 23:29, Mark M wrote:
> Do you know this is an issue? It works fine on the Android device.
>
> On Wednesday, May 27, 2015 5:25 PM, Mark M <[email protected]> wrote:
>
> Noel,
>
> I got it to work. I had to use ec instead of ecparam for the conversion, like this:
>
> openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
> strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :)
>
> Thank you very much for the help.
>
> Mark-
>
> On Wednesday, May 27, 2015 5:18 PM, Mark M <[email protected]> wrote:
>
> Not working.
>
> I am using this method to convert, maybe it is wrong?
>
> [root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
> I am getting
>
> 00[LIB] file coded in unknown format, discarded
> 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> 00[CFG] loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
>
> On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <[email protected]> wrote:
>
> Hello Mark,
>
> Try converting the key from PEM to DER format.
>
> Kind Regards,
> Noel Kuntze
>
> On 27.05.2015 at 23:03, Mark M wrote:
> > Noel,
> >
> > Here is a pastebin of the log with the settings you asked for:
> >
> > http://pastebin.com/4T47jNNA
> >
> > I am seeing this as a problem:
> >
> > 1. 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
> > 2. 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> > 3. 00[CFG] loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
> >
> > On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze <[email protected]> wrote:
> >
> > Hello Mark,
> >
> > Okay, what does charon say during daemon startup?
> > Please create a log with the following settings and post it here.
> > You are encouraged to use a pastebin service.
> >
> > default = 3
> > mgr = 1
> > ike = 1
> > net = 1
> > enc = 0
> > cfg = 2
> > asn = 1
> > job = 1
> > knl = 1
> >
> > Kind Regards,
> > Noel Kuntze
> >
> > On 27.05.2015 at 22:25, Mark M wrote:
> > > Hi Noel,
> > >
> > > I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?
> > >
> > > openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
> > >
> > > openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
> > >
> > > openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
> > >
> > > opensslc1.cnf file:
> > >
> > > [req]
> > > distinguished_name = req_distinguished_name
> > > req_extensions = v3_req
> > >
> > > [req_distinguished_name]
> > > countryName = Country Name (2 letter code)
> > > stateOrProvinceName = State or Province Name (full name)
> > > localityName = Locality Name (eg, city)
> > > organizationalUnitName = Organizational Unit Name (eg, section)
> > > commonName =
> > >
> > > [v3_req]
> > > basicConstraints = CA:FALSE
> > > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > > subjectAltName = @alt_names
> > >
> > > [alt_names]
> > > IP.1=10.X.X.X
> > > IP.2=192.168.1.7
> > >
> > > ipsec.secrets
> > >
> > > # /etc/ipsec.secrets - strongSwan IPsec secrets file
> > >
> > > : RSA centos2.key
> > > : ECDSA centos2ecc.key
> > >
> > > [root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
> > > #        leftsendcert=never
> > > #        right=192.168.0.2
> > > #        rightsubnet=10.2.0.0/16
> > > #        rightcert=peerCert.der
> > > #        auto=start
> > >
> > > #conn sample-with-ca-cert
> > > #        leftsubnet=10.1.0.0/16
> > > #        leftcert=myCert.pem
> > > #        right=192.168.0.2
> > > #        rightsubnet=10.2.0.0/16
> > > #        rightid="C=CH, O=Linux strongSwan CN=peer name"
> > > #        auto=start
> > >
> > > conn %default
> > >         keyexchange=ikev2
> > >
> > > conn phone1ecc
> > >         left=%defaultroute
> > >         leftcert=centos2ecc.crt
> > >         leftsubnet=0.0.0.0/0
> > >         leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > >         leftfirewall=yes
> > >         right=%any
> > >         rightsourceip=192.168.9.0/24
> > >         esp=aes256-sha384-ecp384!
> > >         ike=aes256-sha384-ecp384!
> > >         auto=add
> > >
> > > On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <[email protected]> wrote:
> > >
> > > Hello Mark,
> > >
> > > Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?
> > >
> > > Kind Regards,
> > > Noel Kuntze
> > >
> > > On 27.05.2015 at 04:52, Mark M wrote:
> > > > I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
> > > >
> > > > Any ideas on what would cause the private key to not be found or be authenticated correctly?
> > > >
> > > > 14[CFG] using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > > > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
> > > > 14[CFG] certificate status is not available
> > > > 14[CFG] reached self-signed root ca with a path length of 0
> > > > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
> > > > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > > 14[IKE] peer supports MOBIKE
> > > > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> > > > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > > > 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
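The fix in the thread is to convert with `openssl ec` instead of `openssl ecparam`, and the reason is a file-format one: `openssl ecparam -in key -outform DER` writes only the EC parameters (for a named curve, just the OBJECT IDENTIFIER of the curve, 1.3.132.0.34 for secp384r1) and no key at all, which is consistent with charon's "file coded in unknown format, discarded". `openssl ec -outform DER` writes the SEC1 ECPrivateKey structure that a key loader expects. Also worth knowing: `openssl ecparam -genkey -name secp384r1 -out file` without `-noout`, as used in the thread, writes a PEM file with an EC PARAMETERS block in front of the EC PRIVATE KEY block; the thread does not state whether that is what tripped the PEM load, so the classifier below only reports the fact. The following is an added example, not code from the thread or from strongSwan or OpenSSL: a small DER reader that tells these file shapes apart (parameters-only DER, SEC1 DER, PKCS#8 DER, and the PEM variants). All samples are constructed inline from filler bytes and contain no real key material.

```python
"""Classify what an "EC key" file actually contains: PEM or DER, and whether
there is a private key in it at all.  Added example; the samples below are
constructed from filler bytes and are not real keys."""
import base64
import re

SECP384R1_OID = bytes.fromhex("2b81040022")            # 1.3.132.0.34, curve used in the thread
ID_EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a correct short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, body, next_pos); ValueError on bad input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER body")
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Split the body of a constructed type into its child (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out


def curve_name(oid: bytes) -> str:
    return "secp384r1" if oid == SECP384R1_OID else "oid:" + oid.hex()


PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def classify(data: bytes) -> str:
    """Return a one-line verdict on what the file contains."""
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:
        if "EC PARAMETERS" in labels and "EC PRIVATE KEY" in labels:
            return "pem: EC PARAMETERS block precedes EC PRIVATE KEY"
        if labels == ["EC PRIVATE KEY"]:
            return "pem: SEC1 EC PRIVATE KEY"
        if labels == ["PRIVATE KEY"]:
            return "pem: PKCS#8 PRIVATE KEY"
        return "pem: unexpected blocks " + ", ".join(labels)
    try:
        tag, body, end = der_read(data)
    except ValueError:
        return "unknown: neither PEM nor a DER object"
    if end != len(data):
        return "unknown: trailing bytes after DER object"
    if tag == 0x06:                      # a bare OBJECT IDENTIFIER: ECParameters, nothing else
        return f"der: ECParameters only (curve {curve_name(body)}), no private key"
    if tag != 0x30:
        return f"unknown: top-level DER tag 0x{tag:02x}"
    kids = der_children(body)
    if len(kids) >= 2 and kids[0][0] == 0x02:
        version = int.from_bytes(kids[0][1], "big")
        if version == 1 and kids[1][0] == 0x04:        # SEC1 ECPrivateKey: INTEGER 1, OCTET STRING key
            curve = "unspecified"
            for t, b in kids[2:]:
                if t == 0xA0:                          # [0] EXPLICIT ECParameters
                    oid_tag, oid, _ = der_read(b)
                    if oid_tag == 0x06:
                        curve = curve_name(oid)
            return f"der: SEC1 ECPrivateKey, {len(kids[1][1])}-byte scalar, curve {curve}"
        if version == 0 and kids[1][0] == 0x30 and len(kids) >= 3 and kids[2][0] == 0x04:
            return "der: PKCS#8 PrivateKeyInfo"   # INTEGER 0, AlgorithmIdentifier, OCTET STRING
    return "unknown: DER SEQUENCE that is neither SEC1 nor PKCS#8"


# --- constructed samples (filler bytes, not real keys) -----------------------
SCALAR = bytes(range(1, 49))          # 48 bytes, the size of a secp384r1 scalar
PUBKEY = b"\x04" + bytes(96)          # uncompressed-point placeholder

# Shape of what `openssl ec -outform DER` writes: the SEC1 ECPrivateKey structure.
SEC1_DER = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, SCALAR)
                   + der_tlv(0xA0, der_tlv(0x06, SECP384R1_OID))
                   + der_tlv(0xA1, der_tlv(0x03, b"\x00" + PUBKEY)))
# Shape of what `openssl ecparam -in key -outform DER` writes: just the curve OID.
PARAMS_ONLY_DER = der_tlv(0x06, SECP384R1_OID)
# The same key wrapped as PKCS#8 PrivateKeyInfo, for comparison.
PKCS8_DER = der_tlv(0x30, der_tlv(0x02, b"\x00")
                    + der_tlv(0x30, der_tlv(0x06, ID_EC_PUBLIC_KEY_OID) + der_tlv(0x06, SECP384R1_OID))
                    + der_tlv(0x04, SEC1_DER))
# Shape of what `openssl ecparam -genkey -name secp384r1 -out file` writes without -noout.
ECPARAM_GENKEY_PEM = (b"-----BEGIN EC PARAMETERS-----\n" + base64.encodebytes(PARAMS_ONLY_DER)
                      + b"-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\n"
                      + base64.encodebytes(SEC1_DER) + b"-----END EC PRIVATE KEY-----\n")
```

Run `classify(open(path, "rb").read())` on the file named in ipsec.secrets: a verdict of "ECParameters only" means the conversion step dropped the key, which is exactly the difference between the `ecparam` and `ec` commands in the thread; the PEM verdicts show whether the file the daemon is asked to parse is a plain key or a key with parameters in front of it.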
